What is Social Engineering?

Even if you’re not familiar with the term “social engineering,” you may have already been a victim of it. Maybe you’ve clicked on a link in a spam email, or replied to an unsolicited request, only to have your money or information stolen, or your computer infected.

Simply put, social engineering is what cybercriminals use to persuade or deceive you into sharing sensitive information or allowing access to your computer by pretending to be someone or something they aren’t.

This kind of trickery can take many forms, both online and in the real world. You may receive a “breaking news” email containing a dangerous link, or receive a phone call from someone pretending to be from your bank, requesting sensitive financial information. In both cases, the cybercriminals are pretending to be legitimate entities to get your attention.

Another reason why social engineering is so effective is that cybercriminals play on your emotions to get what they want. For instance, after the earthquake and tsunami in Japan, cybercriminals sent out scores of bogus emails, calling for sympathy and donations for the victims, just so they could line their pockets.

In addition to sympathy, the bad guys also barter in fear, curiosity and greed. From emails offering fake lottery winnings (greed), to dangerous download sites advertising a preview of the latest Lady Gaga song (curiosity), to devious popup messages that warn you that your computer is at risk (fear), today’s cybercriminals are masters at manipulating our emotions. And because their tricks often look legitimate, it can be hard for you to identify them. You could wind up accidentally infecting your machine, or sharing personal and financial information, potentially leading to monetary loss and even identity theft.

But even though social engineering tricks can be quite convincing, if you stay aware and suspicious you can avoid them. Here are a few tips to help you steer clear of their scams:

Never respond to a message from someone you don't know and never click on a link in an unsolicited message, including instant messages.

Be suspicious of any offer that seems too good to be true, such as the lure of receiving thousands of dollars just for doing a wire transfer for someone else.

If you are unsure whether a request is legitimate, check the address that the email came from and look for telltale signs that it could be a fake, such as typos and incorrect grammar. If you are still unsure, contact the company or organization directly.

When using social networking sites, don't accept friend requests from people you don't know, and limit the amount of personal information you post to your profile.

Be very wary of any unsolicited email or phone call asking you to confirm information. A legitimate company or organization would never ask you to confirm information in this way. Never share sensitive financial or personal information, such as your passwords, birthday and banking details, in emails.

Consider using a safe search tool such as McAfee® SiteAdvisor® software, which tells you whether a website is safe right in your search results, helping you navigate away from phony sites.
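The tips above about checking the address an email came from, being wary of "confirm your information" requests, and not trusting links in unsolicited messages can be turned into a small automated check. The script below is an added example written for this page; it is not code from the article or from McAfee. It parses a raw email with Python's standard library and flags three of the telltale signs described: a Reply-To domain that differs from the sender's domain, a subject line asking you to confirm or verify something, and a link whose visible text shows one website while its real destination is another. Both sample messages and the domains in them are constructed for the example (the `.invalid` top-level domain is reserved and never resolves), and the keyword list and regular expressions are simplifying assumptions, not a complete phishing detector.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the article): a "confirm your details" lure whose
# Reply-To points away from the From domain and whose link text hides a different host.
SUSPICIOUS_EMAIL = """\
From: "Example Bank Security" <alerts@mail-example-bank.invalid>
Reply-To: support@unrelated.invalid
Subject: Urgent: confirm your account details
Content-Type: text/html

<html><body>
<p>Click <a href="http://unrelated.invalid/login">https://www.example-bank.invalid</a>
to confirm your information within 24 hours.</p>
</body></html>
"""

# Constructed benign sample for comparison: no Reply-To, plain subject, honest link.
BENIGN_EMAIL = """\
From: "Newsletter" <news@example-newsletter.invalid>
Subject: Monthly update
Content-Type: text/plain

Here is this month's update. Visit https://example-newsletter.invalid/news for more.
"""

# Assumed keyword list for "please confirm your information" style subjects.
CONFIRM_WORDS = ("confirm", "verify", "urgent", "suspended", "password")


def domain_of(address_header):
    """Lower-cased domain of the real address in a From/Reply-To header ('' if none)."""
    _, addr = parseaddr(address_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def host_of(url):
    """Host part of an http(s) URL, lower-cased ('' if the text is not a URL)."""
    m = re.match(r"https?://([^/:?#\s]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def body_text(msg):
    """Concatenate the decoded text/* parts, whether the message is single- or multipart."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def link_mismatches(html):
    """(visible_url, real_href) pairs where the link text shows one host but points at another."""
    out = []
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        visible = re.sub(r"<[^>]+>", "", text).strip()
        if host_of(visible) and host_of(visible) != host_of(href):
            out.append((visible, href))
    return out


def analyze(raw_message):
    """Return a list of (code, detail) findings; an empty list means no red flag fired."""
    msg = message_from_string(raw_message)
    findings = []

    # Tip: check the address the email really came from. A Reply-To on a different
    # domain means answers go somewhere other than the apparent sender.
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply_to_mismatch",
                         f"replies go to {reply_domain}, not the sender's {from_domain}"))

    # Tip: be wary of unsolicited requests to confirm information.
    subject = msg.get("Subject", "").lower()
    hits = [w for w in CONFIRM_WORDS if w in subject]
    if hits:
        findings.append(("confirm_request", f"subject asks to {', '.join(hits)}"))

    # Tip: don't trust links in unsolicited messages; the text and the target can differ.
    for visible, href in link_mismatches(body_text(msg)):
        findings.append(("link_mismatch", f"text shows {visible} but link goes to {href}"))

    return findings


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, analyze(sample) or "no findings")
```

Run as a script, it reports three findings for the constructed lure and none for the benign newsletter. None of these checks proves an email is a scam on its own, which is why the article's advice to contact the organization directly when in doubt still applies; the point of the code is to make the "check the sender address and the link" habit mechanical rather than to replace judgement.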